diff options
author | Sven Wegener <swegener@gentoo.org> | 2017-11-27 17:32:38 +0000 |
---|---|---|
committer | Sven Wegener <swegener@gentoo.org> | 2017-11-27 17:36:52 +0000 |
commit | fe96aad50c79942fdd5fa760b018b44e2eb68df1 (patch) | |
tree | 44546a60d6e95500bb3f67ef7e398c243a3e7ad7 | |
parent | net-dns/pdns: Revision bump, security bug #638566 (diff) | |
download | gentoo-fe96aad50c79942fdd5fa760b018b44e2eb68df1.tar.gz gentoo-fe96aad50c79942fdd5fa760b018b44e2eb68df1.tar.bz2 gentoo-fe96aad50c79942fdd5fa760b018b44e2eb68df1.zip |
net-dns/pdns-recursor: Revision bump, security bug #638568
Package-Manager: Portage-2.3.14, Repoman-2.3.6
Signed-off-by: Sven Wegener <swegener@gentoo.org>
-rw-r--r-- | net-dns/pdns-recursor/Manifest | 4 | ||||
-rw-r--r-- | net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch | 15 | ||||
-rw-r--r-- | net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch | 85 | ||||
-rw-r--r-- | net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch | 47 | ||||
-rw-r--r-- | net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch | 28 | ||||
-rw-r--r-- | net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild | 79 |
6 files changed, 256 insertions, 2 deletions
diff --git a/net-dns/pdns-recursor/Manifest b/net-dns/pdns-recursor/Manifest index 6d455d532405..add5cf30b79f 100644 --- a/net-dns/pdns-recursor/Manifest +++ b/net-dns/pdns-recursor/Manifest @@ -1,2 +1,2 @@ -DIST pdns-recursor-4.0.6.tar.bz2 1105423 SHA256 f2182ac644268bb08b865a71351f11d75c5015ac0608a1469eb4c1cd5494d60d SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 WHIRLPOOL a2eece8a6cdfcd6c791cb6fa42053d524b4e54f1431d78345640d7f2d9f3079939c7905767abe65abb977bce45647fb7232d1148dac13737625ee4bfae221da8 -DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 SHA256 0b8bc3fec4cd39c62e53993ab7a87fc1f2b3d200df071a401775f33e47392169 SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d WHIRLPOOL b6e1c3cb233aff0ac10e1d0d4b5e3de508cf657e1f3fa27c3692e38c90f7af82cc6afe499915d1dbd78cdd5d5eb2ec814b2f3ae86ae6a3f353321abfbe191691 +DIST pdns-recursor-4.0.6.tar.bz2 1105423 BLAKE2B 50cc52f118630d4d8ce9876c2e11494a3c972ec90003c40fea36801eb08bd8b6173f876e6f53eb672ad8ff3da04e669946740a50f653a21459f25c1137d91297 SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 +DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 BLAKE2B fcbc6f08f962c9c2f459448770406734eff2caab43b615690e9d910b65327e45182aa2c9bcadadeaa6eb3984a8cb463849d5e001ffb98bb618966da5b8557a8a SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d diff --git a/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch new file mode 100644 index 000000000000..fa0bfd099abf --- /dev/null +++ b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch @@ -0,0 +1,15 @@ +diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc +--- pdns-recursor-4.0.6.orig/validate-recursor.cc 2017-07-04 17:43:07.000000000 +0200 ++++ pdns-recursor-4.0.6/validate-recursor.cc 2017-11-02 18:29:16.612520450 +0100 +@@ -87,6 +87,11 @@ + bool first = true; + for(const auto& csp : cspmap) { + for(const auto& sig : csp.second.signatures) { ++ ++ if (!csp.first.first.isPartOf(sig->d_signer)) { ++ return increaseDNSSECStateCounter(Bogus); ++ } ++ + vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here + + if (newState == Bogus) // No hope diff --git a/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch new file mode 100644 index 000000000000..1425c33586c2 --- /dev/null +++ b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch @@ -0,0 +1,85 @@ +diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js +--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.000000000 +0200 ++++ pdns-recursor-4.0.6/html/local.js 2017-11-02 18:26:04.624586674 +0100 +@@ -63,7 +63,7 @@ + + $.getJSON(qstring, + function(data) { +- var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>"; ++ var table = $('<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr></table>'); + var num=0; + var total=0, rest=0; + $.each(data["entries"], function(a,b) { +@@ -75,12 +75,26 @@ + if(b[1].length > 25) + b[1]=b[1].substring(0,25); + +- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>"); +- }); +- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>"; +- bouw=bouw+"</table>"; +- $("#queryring").html(bouw); +- ++ var line = $('<tr />'); ++ var number = $('<td />'); ++ number.text(b[0]); ++ var domain = $('<td />'); ++ domain.text(b[1]); ++ var type = $('<td />'); ++ type.text(b[2]); ++ line.append(number); ++ line.append(domain); ++ line.append(type); ++ table.append(line); ++ }); ++ var line = $('<tr />'); ++ var number = $('<td />'); ++ number.text(rest); ++ var label = $('<td>Rest</td>'); ++ line.append(number); ++ line.append(label); ++ table.append(line); ++ $("#queryring").html(table); + }); + + filtered=$("#filter2").is(':checked') +@@ -91,7 +105,7 @@ + + $.getJSON(qstring, + function(data) { +- var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>"; ++ var table = $('<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr></table>'); + var num=0, total=0, rest=0; + $.each(data["entries"], function(a,b) { + total+=b[0]; +@@ -101,11 +115,26 @@ + } + if(b[1].length > 25) + b[1]=b[1].substring(0,25); +- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>"); ++ var line = $('<tr />'); ++ var number = $('<td />'); ++ number.text(b[0]); ++ var domain = $('<td />'); ++ domain.text(b[1]); ++ var type = $('<td />'); ++ type.text(b[2]); ++ line.append(number); ++ line.append(domain); ++ line.append(type); ++ table.append(line); + }); +- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>"; +- bouw=bouw+"</table>"; +- $("#servfailqueryring").html(bouw); ++ var line = $('<tr />'); ++ var number = $('<td />'); ++ number.text(rest); ++ var label = $('<td>Rest</td>'); ++ line.append(number); ++ line.append(label); ++ table.append(line); ++ $("#servfailqueryring").html(table); + + }); + diff --git a/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch new file mode 100644 index 000000000000..2695830b4420 --- /dev/null +++ b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch @@ -0,0 +1,47 @@ +diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc +--- pdns-recursor-4.0.6.orig/ws-recursor.cc 2017-07-04 17:43:07.000000000 +0200 ++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100 +@@ -76,10 +76,11 @@ + throw ApiException("'value' must be an array"); + } + ++ NetmaskGroup nmg; + for (auto value : jlist.array_items()) { + try { +- Netmask(value.string_value()); +- } catch (NetmaskException &e) { ++ nmg.addMask(value.string_value()); ++ } catch (const NetmaskException &e) { + throw ApiException(e.reason); + } + } +@@ -91,9 +92,7 @@ + + // Clear allow-from, and provide a "parent" value + ss << "allow-from=" << endl; +- for (auto value : jlist.array_items()) { +- ss << "allow-from+=" << value.string_value() << endl; +- } ++ ss << "allow-from+=" << nmg.toString() << endl; + + apiWriteConfigFile("allow-from", ss.str()); + +@@ -201,10 +200,15 @@ + if (server == "") { + throw ApiException("Forwarded-to server must not be an empty string"); + } +- if (!serverlist.empty()) { +- serverlist += ";"; ++ try { ++ ComboAddress ca = parseIPAndPort(server, 53); ++ if (!serverlist.empty()) { ++ serverlist += ";"; ++ } ++ serverlist += ca.toStringWithPort(); ++ } catch (const PDNSException &e) { ++ throw ApiException(e.reason); + } +- serverlist += server; + } + if (serverlist == "") + throw ApiException("Need at least one upstream server when forwarding"); diff --git a/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch new file mode 100644 index 000000000000..ee7cf6878d98 --- /dev/null +++ b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch @@ -0,0 +1,28 @@ +diff -ru pdns-recursor-4.0.6.orig/opensslsigners.cc pdns-recursor-4.0.6/opensslsigners.cc +--- pdns-recursor-4.0.6.orig/opensslsigners.cc 2017-07-04 17:43:07.000000000 +0200 ++++ pdns-recursor-4.0.6/opensslsigners.cc 2017-11-02 18:18:37.489408103 +0100 +@@ -474,7 +474,7 @@ + if (iqmp == NULL) { + RSA_free(key); + BN_clear_free(dmq1); +- BN_clear_free(iqmp); ++ BN_clear_free(dmp1); + throw runtime_error(getName()+" allocation of BIGNUM iqmp failed"); + } + RSA_set0_crt_params(key, dmp1, dmq1, iqmp); +@@ -562,6 +562,7 @@ + BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL); + if (!n) { + RSA_free(key); ++ BN_clear_free(e); + throw runtime_error(getName()+" error loading n value of public key"); + } + +@@ -866,6 +867,7 @@ + + int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx); + if (ret != 1) { ++ EC_POINT_free(pub_key); + throw runtime_error(getName()+" reading ECP point from binary failed"); + } + diff --git a/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild new file mode 100644 index 000000000000..f9b248316b36 --- /dev/null +++ b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild @@ -0,0 +1,79 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit toolchain-funcs flag-o-matic eutils versionator + +DESCRIPTION="The PowerDNS Recursor" +HOMEPAGE="https://www.powerdns.com/" +SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="lua luajit protobuf systemd" +REQUIRED_USE="?? ( lua luajit )" + +DEPEND="lua? ( >=dev-lang/lua-5.1:= ) + luajit? ( dev-lang/luajit:= ) + protobuf? ( + dev-libs/protobuf + >=dev-libs/boost-1.42:= + ) + systemd? ( sys-apps/systemd:0= ) + >=dev-libs/boost-1.35:=" +RDEPEND="${DEPEND} + !<net-dns/pdns-2.9.20-r1" +DEPEND="${DEPEND} + virtual/pkgconfig" + +S="${WORKDIR}"/${P/_/-} + +PATCHES=( + "${FILESDIR}"/CVE-2017-{15090,15092,15093,15094}-4.0.6.patch +) + +pkg_setup() { + filter-flags -ftree-vectorize +} + +src_configure() { + econf \ + --sysconfdir=/etc/powerdns \ + $(use_enable systemd) \ + $(use_with lua) \ + $(use_with luajit) \ + $(use_with protobuf) +} + +src_install() { + default + + mv "${D}"/etc/powerdns/recursor.conf{-dist,} + + # set defaults: setuid=nobody, setgid=nobody + sed -i \ + -e 's/^# set\([ug]\)id=$/set\1id=nobody/' \ + -e 's/^# quiet=$/quiet=on/' \ + -e 's/^# chroot=$/chroot=\/var\/lib\/powerdns/' \ + "${D}"/etc/powerdns/recursor.conf + + newinitd "${FILESDIR}"/pdns-recursor-r1 pdns-recursor + + keepdir /var/lib/powerdns +} + +pkg_postinst() { + local old + + for old in ${REPLACING_VERSIONS}; do + version_compare ${old} 4.0.0-r1 + [[ $? -eq 1 ]] || continue + + ewarn "Starting with 4.0.0-r1 the init script has been renamed from precursor" + ewarn "to pdns-recursor, please update your runlevels accordingly." + + break + done +} |